PASSWORD CRACKING

The first line of defense for many computers is a password. Although passwords restrict access to a computer, they're the weakest link in any security system. The most secure passwords are lengthy, consisting of random characters, but most people tend to choose simple, easy-to-remember passwords and use the same password for several different systems (for example, their work computer, their America Online account, and their Windows screensaver). If hackers discover a person's password, they'll often have the key to their other accounts, as well.

When a computer requires a password, but you don't know what that password may be, you have several options:

Steal a valid password

Guess the password

Discover the password with a brute-force attack

Stealing a password

If you can get physical access to a computer, the easiest way to steal a password is by shoulder surfing: peeking over someone's shoulder as they type in a password. If that option isn't available, poke around the person's desk. Most people find passwords hard to remember, so they often write them down and store them where they can easily find them, like next to their monitor or inside their desk drawer.

Still can't find that pesky password? Try one of these methods:

A keystroke logger

A desktop-monitoring program

A remote desktop-monitoring program

A password-recovery program

Note

All of these programs require that you have access to the victim's computer so you can install or run the programs without the user's knowledge.

Using a keystroke recorder or logger

Keystroke recorders or loggers record everything a person types and either send that typing to a monitoring computer or save it to a file. The simplest keystroke loggers record anything a user types (see Figure 12-1), which can include incriminating email messages, credit card numbers, and passwords.

Figure 12-1: You can configure what you want a keystroke logger to capture.

When the user leaves the target computer, you can remove the keystroke logging program from their machine and retrieve the logging file that contains the password and anything else they typed (see Figure 12-2). The more advanced keystroke loggers can email the log file of a user's keystrokes to you so you can monitor their activities from another location.

Figure 12-2: A keystroke logger can capture keystrokes so you know what someone typed and what program they used at the time.

To avoid detection, keystroke loggers run in stealth mode, which means that they hide their presence from the user, although they can still be spotted if you know what to look for and where to look. Unless a user suspects that someone has planted a keystroke logger on their computer, chances are good they will never look for, let alone find, a keystroke logger hidden in stealth mode.

To avoid giving away their presence at all, some keystroke loggers are available as hardware devices that plug in between the computer and the keyboard. Such hardware keystroke loggers can be spotted easily just by looking at the back of the computer, but their presence is completely invisible to any software running on that computer. Best of all, unlike their software equivalents that only work under specific operating systems, hardware keystroke loggers work with any operating system running on that computer, such as FreeBSD, Linux, Windows XP, or OS/2.

Some popular hardware keystroke loggers include KeyGhost (http://www.keyghost.com), Hardware KeyLogger (http://www.amecisco.com), and KEYKatcher (http://www.tbotech.com/key-katcher.htm). To find a software keystroke logger, visit Keylogger.org (http://www.keylogger.org), which rates the different keystroke loggers by their features and ease of use.

Spying with a desktop-monitoring program

More powerful than keystroke loggers are desktop-monitoring programs. Like a computer surveillance camera, desktop-monitoring programs secretly record the programs a person uses, how long the person uses each program, the websites viewed, and every keystroke the user types. To show you what a user might be doing, some desktop-monitoring programs can periodically capture the contents of the screen or secretly turn on a webcam to record the person sitting in front of the computer.

Many desktop-monitoring programs can store days of recordings, and some can be set to record at specifically designated times, when certain applications are run, or when a user logs on to the Internet (see Figure 12-3).

Figure 12-3: A desktop-monitoring program can track every program and keystroke used on a specific computer.

Remotely viewing another computer's desktop

Desktop-monitoring programs are useful if you have regular access to the computer you want to watch. But if you don't, you can use a remote desktop-monitoring program instead. Just install a program such as Q-Peek (http://www.qpeek.com), Spector (http://www.netbus.org), or PC Spy (http://www.softdd.com) on the computer you want to monitor. Then, anything anyone types, views, or manipulates on that computer will appear live on your computer's screen.

Using a password-recovery program

Because typing a password over and over again to access a program can be a nuisance, many programs let you store passwords directly in the program, hidden behind a string of asterisks (see Figure 12-4). Because people often forget these passwords and then can't access their programs or files, password-recovery programs have been developed to retrieve these lost or forgotten passwords. You can, of course, also use these programs to retrieve other people's passwords.

Figure 12-4: The Revelation password-recovery program can reveal the password needed to access a user's Internet account.

There are many commercial and free versions of password-recovery programs, such as these:

iOpus Password Recovery XP (http://www.iopus.com)

Passware Kit (http://www.lostpassword.com)

Peek-a-boo (http://www.corteksoft.com)

Revelation (http://www.snadboy.com)

Besides blocking access to a program, passwords can also block access to files, like WordPerfect documents or Microsoft Excel spreadsheets. To retrieve or crack password-protected files, get a special password-cracking program from one of these companies (see Figure 12-5):

Figure 12-5: A variety of password-cracking programs are readily available for purchase over the Internet.

AccessData (http://www.accessdata.com)

Alpine Snow (http://www.alpinesnow.com)

Crak Software (http://www.crak.com)

ElcomSoft (http://www.elcomsoft.com)

Password Crackers (http://www.pwcrack.com)

Passware (http://www.lostpassword.com)

Guess a password with a dictionary attack

Most people choose easy-to-remember passwords, which means the odds that someone will choose an ordinary word for a password are extremely high. To find passwords that use ordinary words, hackers have created special password-cracking programs that use dictionary files (sometimes called word lists), which contain actors' names, names of popular cartoon characters, popular rock bands, Star Trek jargon, common male and female names, technology-related words, and other common words found in most dictionaries.

The password-cracking program takes a word from the dictionary file and tries this word as a password to access a computer. If the first word isn't the right password, the password-cracking program tries another word from its dictionary list until it either finds the right password or runs out of words. If the password works, you have access to the program you want. Of course, if it runs out of words in its dictionary file, you can try another dictionary file until you find a valid password or run out of dictionary files. If a password is an ordinary word, it's only a matter of time before a dictionary attack will uncover it.

To increase the odds of uncovering a password, some password-cracking programs will not only try every word in a dictionary file, but also subtle variations of each word, such as spelling the word backwards or adding different numbers on the end. So even though a password like SNOOPY12 won't be found in an ordinary dictionary file, the password-cracking program can still uncover this password by manipulating each word in its dictionary file.

For an example of a dictionary attack tool sold commercially for people to test the security of their networks, visit SolarWinds (http://solarwinds.net). For one of the largest collections of word lists, visit the Wordlist Project (http://wordlists.securityon.net), which offers word lists in various languages, including English, Spanish, Japanese, and Russian.

Brute-force password attacks

Dictionary attacks can find ordinary words or variations of words, but sometimes a password may consist of random characters. In these cases, the only solution is to use a brute-force attack.

As the name implies, a brute-force attack is like prying a password out of a computer by smashing it with a sledgehammer. Instead of trying common words that most people use as passwords, the brute-force method simply tries every possible combination of characters in varying lengths. So, if someone's password is as obscure as NI8$FQ2, a brute-force attack will find that password (and every other password on that computer) eventually.
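The two attacks just described are easiest to understand from the defender's side, as a check on whether a chosen password would survive them. The following is an added example written for this page, not code from the book or from any of the products it names. It assumes a constructed five-word "dictionary file", applies the variations the text mentions (the word backwards, case changes, numbers added on the end), and then, for passwords no dictionary rule produces, counts how many candidates a brute-force attack must enumerate over the smallest standard character set covering the password. The guess rate used in the time estimate is an assumption, not a figure from the page.

```python
"""Password-policy check modelled on the dictionary and brute-force attacks
described above. Added example with a constructed word list; not code from
the original book or from any tool it mentions."""
import string

# Constructed miniature word list standing in for a real dictionary file.
WORDLIST = ["snoopy", "password", "enterprise", "jennifer", "qwerty"]


def mangle(word):
    """Yield (rule_name, candidate) pairs for the variations a dictionary
    attack tries: the word itself, the word backwards, case changes, and
    numbers 0..999 appended to each of those forms."""
    bases = {"as-is": word, "reversed": word[::-1]}
    for name, base in bases.items():
        yield name, base
        yield name + "+capitalized", base.capitalize()
        yield name + "+upper", base.upper()
    # "adding different numbers on the end", applied to every case form
    for name, base in bases.items():
        for n in range(1000):
            for form in (base, base.capitalize(), base.upper()):
                yield name + "+digits", f"{form}{n}"


def dictionary_guessable(password, wordlist=WORDLIST):
    """Return the name of the first mangling rule that produces `password`,
    or None if no variation of any word in the list matches."""
    for word in wordlist:
        for rule, candidate in mangle(word):
            if candidate == password:
                return rule
    return None


CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def alphabet_size(password):
    """Size of the smallest standard character set that covers the password,
    i.e. the alphabet a brute-force attack has to enumerate."""
    size = sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))
    # Characters outside the four classes (space, non-ASCII) each add one symbol.
    extra = {c for c in password if not any(c in chars for chars, _ in CHARACTER_CLASSES)}
    return size + len(extra)


def brute_force_keyspace(password):
    """Number of candidates of length 1..len(password) over the covering
    alphabet: the work a brute-force attack does before it is guaranteed
    to have reached `password`."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def assess(password, guesses_per_second=10_000_000):
    """One-line verdict. The guess rate is an assumed figure for illustration."""
    rule = dictionary_guessable(password)
    if rule is not None:
        return f"WEAK: produced by dictionary rule '{rule}'"
    space = brute_force_keyspace(password)
    days = space / guesses_per_second / 86400
    return f"brute force only: {space:,} candidates, about {days:.1f} days at {guesses_per_second:,} guesses/s"


if __name__ == "__main__":
    for pw in ("SNOOPY12", "ypoons", "NI8$FQ2"):
        print(pw, "->", assess(pw))
```

SNOOPY12 from the text falls to the "numbers on the end" rule even though it is not in the word list, while NI8$FQ2 is reachable only by exhausting every string over the 68-character alphabet that covers it; the keyspace grows by a factor of the alphabet size with every character added, which is why the text's advice that the most secure passwords are lengthy holds.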

Brute-force attacks are especially popular when cracking Unix systems, because most Unix systems store the list of account names and passwords in the /etc/passwd file. To provide a small degree of security, Unix does not store each person's password directly but stores the output of a one-way hash function applied to it, traditionally one built on the Data Encryption Standard (DES).

To gain access to Unix computers, hackers simply copy the /etc/passwd file to their own computer so that they can run a dictionary or brute-force attack on that file at their convenience, without risk of being spotted. With a copy of the passwd file on their own computer, hackers can take as much time as they need until either the dictionary or brute-force attack succeeds. Once it finds just one password, the hacker can use that password to gain access to that unlucky person's account.
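The exposure the text describes depends on the hashes sitting in /etc/passwd, a file every local user can read. Systems with shadow password support keep only a placeholder (usually x) in that file and move the hashes to /etc/shadow, which is readable only by root, so the first thing an administrator should verify is that no hash remains in /etc/passwd. The following audit is an added example written for this page, not code from the book; the five sample lines are constructed and the hash values in them are not real hashes. It recognises the traditional 13-character DES crypt form (two salt characters plus eleven output characters from the set [a-zA-Z0-9./]) and the newer "$id$salt$hash" modular form, and flags empty password fields as well.

```python
"""Audit /etc/passwd-format text for password hashes that should live in
/etc/shadow. Added example with constructed input; not code from the book."""
import re

# Constructed sample in /etc/passwd format: user:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:ab4hB.kTyjnEI:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
carol:$6$saltsalt$notarealhashvalue:1002:1002:Carol:/home/carol:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
"""

# Traditional crypt(3) DES output: 13 characters from the 64-symbol alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format, e.g. $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512).
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")


def classify_password_field(field):
    """Describe what the second field of a passwd entry holds."""
    if field == "":
        return "empty"
    if field in ("x", "*", "!", "!!"):
        return "shadowed-or-locked"
    if DES_CRYPT.match(field):
        return "des-hash"
    if MODULAR_CRYPT.match(field):
        return "modular-hash"
    return "unknown"


def audit_passwd(text):
    """Return a list of (user, finding) for entries that expose a hash in the
    world-readable file, allow login with no password, or cannot be parsed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        kind = classify_password_field(pw)
        if kind == "empty":
            findings.append((user, "empty password field: login needs no password"))
        elif kind in ("des-hash", "modular-hash"):
            findings.append((user, f"{kind} stored in world-readable /etc/passwd; move to /etc/shadow"))
        elif kind == "unknown":
            findings.append((user, "unrecognised password field; inspect manually"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; a clean system with shadow passwords produces no findings, because every password field is x, *, or a locked marker.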

To find password-cracking programs that use word-list or brute-force attacks, visit these sites: